Some Valuable Tips & Tricks
NOTE: Nothing on this particular page is guaranteed to work in every case. The Tips & Tricks provided herein have worked for me personally in the past but are in no way provided as a total solution to any particular problem. ADL Datacomm will not be held responsible for any malfunction after implementing any of these suggestions. These ideas are provided without liability and with no guarantee expressed or implied. Although we have used each one of these, they are supplied as 'use at your own risk' suggestions only.
Unknown packets from 127.0.0.1:80
There have been so many questions about this I had to post an article.
The reason that people are seeing this has to do with some very bad advice that was given early in the blaster outbreak. The advice basically was that to protect the Internet from the DoS attack that was to hit windowsupdate.com. Admins were told that all DNS servers should return 127.0.0.1 for queries to windowsupdate.com.
Essentially these suggestions were suggesting that hosts should commit suicide to protect the Internet.
The problem is that the DoS routine spoofs the source address, so when windowsupdate.com resolves to 127.0.0.1 the following happens.
-
Infected host picks address as source address and sends Syn packet to 127.0.0.1 port 80. (Sends it to itself) (This never makes it on the wire, you will not see this part)
-
TCP/IP stack receives packet, responds with reset (if there is nothing listening on that port), sending the reset to the host with the spoofed source address (this is what people are seeing and mistaking for port scans)
To clear that up here's a step-by-step
Blaster infected host tries to DDoS windowsupdate.com.
It looks it up in DNS, and a DNS admin who followed some bad advice set windowsupdate.com to resolve to 127.0.0.1
blaster crafts a packet with a spoofed source and 127.0.0.1 as the destination,
the packet is
then sent over the loopback on port 80.
The networking stack then thinks it is a stale connection because the
sequence numbers are not
what it is expecting, so it sends a RST back to the spoofed source address
(which is now the destination address).
Viola, packets to you on port 80 from 127.0.0.1.
These descriptions are the works of Dan Hanson and Will Boege respectively and can be viewed in the archives of the General Discussion List @ Dshield.org.